Exposure of Sensitive Information Due to Incompatible Policies in zoujingli/thinkadmin

Valid

Reported on

Sep 16th 2021


Description

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.

Proof of Concept:

Please note that this also leads to a verbose error that shows the credentials of the owner.

**Example:**

Link --> https://v6.thinkadmin.top/admin.html#();

**Response:**

{ "id": 10000, "usertype": "normal_code", "username": "admin", "password": "21232f297a57a5a743894a0e4a801fc3", "nickname": "\u7cfb\u7edf\u7ba1\u7406\u5458", "headimg": "https:\/\/v6.thinkadmin.top\/upload\/ec\/f571134493e54fe06855c88557052c.png", "authorize": ",,", "contact_qq": "", "contact_mail": "", "contact_phone": "", "login_ip": "58.219.66.224", "login_at": "2021-09-16 22:09:02", "login_num": 5924, "describe": "", "status": 1, "sort": 2, "is_deleted": 0, "create_at": "2015-11-13 15:14:22", "nodes": [] }

PoC screenshot --> https://i.ibb.co/27pxPn0/Screenshot-from-2021-09-16-16-20-49.png

Impact

This vulnerability is capable of... claiming other users' cookies and performing other advanced scenarios. Account takeover is possible in this case.

We have contacted a member of the zoujingli/thinkadmin team and are waiting to hear back a year ago
邹景立 validated this vulnerability a year ago
0x9x has been awarded the disclosure bounty
The fix bounty is now up for grabs
邹景立 confirmed that a fix has been merged on 4469f7 a year ago
邹景立 has been awarded the fix bounty
邹景立
a year ago

Maintainer


/^#(https?:)?(\/\/|\\\\)/.test(hash)
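The hash check quoted above, extended into a small route validator as an added example (this is not ThinkAdmin's code; the allowlist pattern and the names `classifyHash` and `resolveRoute` are this example's own assumptions). Beyond the URL regex, it also refuses the `#()` fragment from the proof of concept and dot-segments, which that regex alone does not match.

```javascript
// Added example (not ThinkAdmin's code): validate a location.hash route before
// it is used to load anything. LOOKS_LIKE_URL is the maintainer's regex from
// the thread; the allowlist, classifyHash and resolveRoute are assumptions.

// Maintainer's check: fragment begins with an absolute or protocol-relative URL
// ("#https://...", "#//...", "#\\...").
const LOOKS_LIKE_URL = /^#(https?:)?(\/\/|\\\\)/;

// Stricter allowlist: "#", optional leading "/", then path segments of
// [A-Za-z0-9_.-] that may not start with "." (so "." and ".." are refused),
// and an optional query string limited to the same characters plus "=&".
const ROUTE_ALLOWLIST =
  /^#\/?[A-Za-z0-9_-][A-Za-z0-9_.-]*(\/[A-Za-z0-9_-][A-Za-z0-9_.-]*)*(\?[A-Za-z0-9_.=&-]*)?$/;

function classifyHash(hash) {
  if (hash === '' || hash === '#') return 'empty';
  if (LOOKS_LIKE_URL.test(hash)) return 'rejected:url';
  if (!ROUTE_ALLOWLIST.test(hash)) return 'rejected:malformed';
  return 'ok';
}

// Only a hash that passes both checks reaches the router; anything else falls
// back to a known page instead of being passed on as-is (the report above shows
// the "#()" fragment ending in a verbose error that dumps the user record).
function resolveRoute(hash, fallback = '/admin/index.html') {
  return classifyHash(hash) === 'ok' ? hash.slice(1) : fallback;
}

// Constructed sample fragments, including the proof-of-concept value "#()".
const SAMPLES = ['#()', '#//evil.example/', '#https://evil.example/x',
  '#\\\\evil.example', '#../secret', '#/admin/index.html', '#admin/index.html?id=1'];
for (const h of SAMPLES) {
  console.log(h.padEnd(26), classifyHash(h).padEnd(20), '->', resolveRoute(h));
}
```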

ranjit-git
a year ago

Hello @maintainer
Is my report https://huntr.dev/bounties/2449ccab-3377-4086-91c0-c2c8a8169ed8/ different from this report?

ranjit-git
a year ago

My report was closed as invalid, but the same report 1 day later is marked as valid.

0x9x
a year ago

Researcher


Thanks for your updates! I hope you fixed everything here. The verbose error is really helpful for understanding such errors.

0x9x
a year ago

Researcher


I confirm that the XSS is a duplicate, but not the verbose error.

0x9x modified the report
a year ago
0x9x
a year ago

Researcher


I hope you can accept the report as another issue. (The verbose error contains sensitive information.)

Jamie Slome
a year ago

Admin


We will now accept this as a distinct report and will reward the bounties!

0x9x
a year ago

Researcher


Thanks!
